dellemc.enterprise_sonic.sonic_l3_acls module – Manage Layer 3 access control lists (ACL) configurations on SONiC
Note
This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic
.
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_l3_acls
.
New in dellemc.enterprise_sonic 2.1.0
Synopsis
This module provides configuration management of Layer 3 access control lists (ACL) in devices running SONiC.
Parameters
Parameter |
Comments |
---|---|
Specifies Layer 3 ACL configurations. |
|
List of ACL configuration for the given address family. |
|
Specifies the ACL name. |
|
Specifies remark for the ACL. |
|
List of rules with the ACL. sequence_num, action, protocol, source & destination are required for adding a new rule. If state=deleted, options other than sequence_num are not considered. |
|
Specifies the action taken on the matched packet. Choices:
|
|
Specifies the destination of the packet. any, host and prefix are mutually exclusive. |
|
Match any destination network address. Choices:
|
|
Network address of a single destination host. |
|
Specifies the destination port (valid only for TCP or UDP) Only one suboption can be specified for port_number in a rule. |
|
Match packets with destination port equal to the given port number. The range is from 0 to 65535. |
|
Match packets with destination port greater than the given port number. The range is from 0 to 65534. |
|
Match packets with destination port lesser than the given port number. The range is from 1 to 65535. |
|
Match packets with destination port in the given range. begin and end are required together. |
|
Specifies the beginning of the port range. The range is from 0 to 65534. |
|
Specifies the end of the port range. The range is from 1 to 65535. |
|
Destination network prefix in the format A.B.C.D/mask (ipv4) or A::B/mask (ipv6). |
|
Match packets using DSCP value. Only one suboption can be specified for dscp in a rule. |
|
Match packets with AF11 DSCP (001010 - Decimal value 10). Choices:
|
|
Match packets with AF12 DSCP (001100 - Decimal value 12). Choices:
|
|
Match packets with AF13 DSCP (001110 - Decimal value 14). Choices:
|
|
Match packets with AF21 DSCP (010010 - Decimal value 18). Choices:
|
|
Match packets with AF22 DSCP (010100 - Decimal value 20). Choices:
|
|
Match packets with AF23 DSCP (010110 - Decimal value 22). Choices:
|
|
Match packets with AF31 DSCP (011010 - Decimal value 26). Choices:
|
|
Match packets with AF32 DSCP (011100 - Decimal value 28). Choices:
|
|
Match packets with AF33 DSCP (011110 - Decimal value 30). Choices:
|
|
Match packets with AF41 DSCP (100010 - Decimal value 34). Choices:
|
|
Match packets with AF42 DSCP (100100 - Decimal value 36). Choices:
|
|
Match packets with AF43 DSCP (100110 - Decimal value 38). Choices:
|
|
Match packets with CS1 DSCP (001000 - Decimal value 8). Choices:
|
|
Match packets with CS2 DSCP (010000 - Decimal value 16). Choices:
|
|
Match packets with CS3 DSCP (011000 - Decimal value 24). Choices:
|
|
Match packets with CS4 DSCP (100000 - Decimal value 32). Choices:
|
|
Match packets with CS5 DSCP (101000 - Decimal value 40). Choices:
|
|
Match packets with CS6 DSCP (110000 - Decimal value 48). Choices:
|
|
Match packets with CS7 DSCP (111000 - Decimal value 56). Choices:
|
|
Match packets with CS0 DSCP (000000 - Decimal value 0). Choices:
|
|
Match packets with EF DSCP (101110 - Decimal value 46). Choices:
|
|
Match packets with given DSCP value. The range is from 0 to 63. |
|
Match packets with VOICE-ADMIT DSCP (101100 - Decimal value 44). Choices:
|
|
Specifies the protocol to match. Only one suboption can be specified for protocol in a rule. |
|
Match packets with the given protocol.
Choices:
|
|
Match packets with given protocol number. The range is from 0 to 255. |
|
Specifies the additional packet match options for the chosen protocol. icmp, icmpv6 and tcp are mutually exclusive. |
|
Packet match options for ICMP. |
|
Match packets with given ICMP code. The range is from 0 to 255. |
|
Match packets with given ICMP type. The range is from 0 to 255. |
|
Packet match options for ICMPv6. |
|
Match packets with given ICMPv6 code. The range is from 0 to 255. |
|
Match packets with given ICMPv6 type. The range is from 0 to 255. |
|
Packet match options for TCP. established and other TCP flag options are mutually exclusive. |
|
Match packets with ACK flag set. Choices:
|
|
Match packets which are part of established TCP session. Choices:
|
|
Match packets with FIN flag set. Choices:
|
|
Match packets with ACK flag cleared. Choices:
|
|
Match packets with FIN flag cleared. Choices:
|
|
Match packets with PSH flag cleared. Choices:
|
|
Match packets with RST flag cleared. Choices:
|
|
Match packets with SYN flag cleared. Choices:
|
|
Match packets with URG flag cleared. Choices:
|
|
Match packets with PSH flag set. Choices:
|
|
Match packets with RST flag set. Choices:
|
|
Match packets with SYN flag set. Choices:
|
|
Match packets with URG flag set. Choices:
|
|
Specifies remark for the ACL rule. |
|
Specifies the sequence number of the rule. The range is from 1 to 65535. |
|
Specifies the source of the packet. any, host and prefix are mutually exclusive. |
|
Match any source network address. Choices:
|
|
Network address of a single source host. |
|
Specifies the source port (valid only for TCP or UDP) Only one suboption can be specified for port_number in a rule. |
|
Match packets with source port equal to the given port number. The range is from 0 to 65535. |
|
Match packets with source port greater than the given port number. The range is from 0 to 65534. |
|
Match packets with source port lesser than the given port number. The range is from 1 to 65535. |
|
Match packets with source port in the given range. begin and end are required together. |
|
Specifies the beginning of the port range. The range is from 0 to 65534. |
|
Specifies the end of the port range. The range is from 1 to 65535. |
|
Source network prefix in the format A.B.C.D/mask (ipv4) or A::B/mask (ipv6). |
|
Match packets with the given VLAN ID value. |
|
Specifies the address family of the ACLs. Choices:
|
|
The state of the configuration after module completion.
Choices:
|
Notes
Note
Supports
check_mode
.
Examples
# Using merged
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit ipv6 host 192:168:1::2 any
# sonic#
- name: Merge provided Layer 3 ACL configurations
dellemc.enterprise_sonic.sonic_l3_acls:
config:
- address_family: 'ipv4'
acls:
- name: 'test'
rules:
- sequence_num: 2
action: 'permit'
protocol:
name: 'icmp'
source:
any: true
destination:
host: '192.168.1.2'
protocol_options:
icmp:
type: 8
- sequence_num: 3
action: 'deny'
protocol:
number: 2
source:
any: true
destination:
any: true
- sequence_num: 4
action: 'deny'
protocol:
name: 'ip'
source:
any: true
destination:
any: true
vlan_id: 10
remark: 'Vlan10'
- name: 'test1'
remark: 'test_ip_acl'
rules:
- sequence_num: 1
action: 'permit'
protocol:
name: 'tcp'
source:
prefix: '10.0.0.0/8'
destination:
any: true
- sequence_num: 2
action: 'deny'
protocol:
name: 'udp'
source:
any: true
destination:
prefix: '20.1.0.0/16'
port_number:
gt: 1024
- sequence_num: 3
action: 'deny'
protocol:
name: 'ip'
source:
any: true
destination:
any: true
dscp:
value: 63
- address_family: 'ipv6'
acls:
- name: 'testv6'
rules:
- sequence_num: 2
action: 'deny'
protocol:
name: 'icmpv6'
source:
any: true
destination:
any: true
- name: 'testv6-1'
remark: 'test_ipv6_acl'
rules:
- sequence_num: 1
action: 'permit'
protocol:
name: 'ipv6'
source:
prefix: '1000::/16'
destination:
any: true
dscp:
af22: true
- sequence_num: 2
action: 'deny'
protocol:
name: 'tcp'
source:
any: true
destination:
prefix: '2000::1000:0/112'
port_number:
range:
begin: 100
end: 1000
- sequence_num: 3
action: 'permit'
protocol:
name: 'tcp'
source:
any: true
destination:
any: true
protocol_options:
tcp:
established: true
- sequence_num: 4
action: 'deny'
protocol:
name: 'udp'
source:
any: true
port_number:
eq: 3000
destination:
any: true
state: merged
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.2 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit ipv6 host 192:168:1::2 any
# seq 2 deny icmpv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
# Using replaced
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.2 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp host 3000::1 any established
# seq 2 permit udp any any
# seq 3 deny icmpv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
- name: Replace device configuration of specified Layer 3 ACLs with provided configuration
dellemc.enterprise_sonic.sonic_l3_acls:
config:
- address_family: 'ipv4'
acls:
- name: 'test2'
rules:
- sequence_num: 1
action: 'permit'
protocol:
name: 'tcp'
source:
prefix: '192.168.1.0/24'
destination:
any: true
- address_family: 'ipv6'
acls:
- name: 'testv6'
rules:
- sequence_num: 1
action: 'permit'
protocol:
name: 'tcp'
source:
host: '3000::1'
destination:
any: true
protocol_options:
tcp:
ack: true
syn: true
fin: true
- sequence_num: 2
action: 'deny'
protocol:
name: 'ipv6'
source:
any: true
destination:
any: true
state: replaced
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp host 3000::1 any fin syn ack
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
# Using overridden
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
- name: Override device configuration of all Layer 3 ACLs with provided configuration
dellemc.enterprise_sonic.sonic_l3_acls:
config:
- address_family: 'ipv4'
acls:
- name: 'test_acl'
rules:
- sequence_num: 1
action: 'permit'
protocol:
name: 'ip'
source:
prefix: '100.1.1.0/24'
destination:
prefix: '100.1.2.0/24'
- sequence_num: 2
action: 'deny'
protocol:
name: 'udp'
source:
any: true
destination:
any: true
state: overridden
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test_acl
# seq 1 permit ip 100.1.1.0/24 100.1.2.0/24
# seq 2 deny udp any any
# sonic#
# sonic# show running-configuration ipv6 access-list
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
- name: Delete specified Layer 3 ACLs, ACL remark and ACL rule entries
dellemc.enterprise_sonic.sonic_l3_acls:
config:
- address_family: 'ipv4'
acls:
- name: 'test'
rules:
- sequence_num: 2
- name: 'test2'
- address_family: 'ipv6'
acls:
- name: 'testv6-1'
remark: 'test_ipv6_acl'
rules:
- sequence_num: 3
state: deleted
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 4 deny udp any eq 3000 any
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
- name: Delete all Layer 3 ACLs for an address-family
dellemc.enterprise_sonic.sonic_l3_acls:
config:
- address_family: 'ipv4'
state: deleted
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
# Using deleted
#
# Before State:
# -------------
#
# sonic# show running-configuration ip access-list
# !
# ip access-list test
# seq 1 permit ip host 192.168.1.2 any
# seq 2 permit icmp any host 192.168.1.3 type 8
# seq 3 deny 2 any any
# seq 4 deny ip any any vlan 10 remark Vlan10
# !
# ip access-list test1
# remark test_ip_acl
# seq 1 permit tcp 10.0.0.0/8 any
# seq 2 deny udp any 20.1.0.0/16 gt 1024
# seq 3 deny ip any any dscp 63
# !
# ip access-list test2
# seq 1 permit tcp 192.168.1.0/24 any
# sonic#
# sonic# show running-configuration ipv6 access-list
# !
# ipv6 access-list testv6
# seq 1 permit tcp 3000::/16 any
# seq 2 deny ipv6 any any
# !
# ipv6 access-list testv6-1
# remark test_ipv6_acl
# seq 1 permit ipv6 1000::/16 any dscp af22
# seq 2 deny tcp any 2000::1000:0/112 range 100 1000
# seq 3 permit tcp any any established
# seq 4 deny udp any eq 3000 any
# sonic#
- name: Delete all Layer 3 ACL configurations
dellemc.enterprise_sonic.sonic_l3_acls:
config:
state: deleted
# After State:
# ------------
#
# sonic# show running-configuration ip access-list
# sonic#
# sonic# show running-configuration ipv6 access-list
# sonic#
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The resulting configuration module invocation. Returned: when changed Sample: |
|
The generated configuration module invocation. Returned: when Sample: |
|
The configuration prior to the module invocation. Returned: always Sample: |
|
The set of commands pushed to the remote device. Returned: always Sample: |